International data transfers: 10 steps for compliance with EU privacy laws

As the world becomes increasingly interconnected and businesses continue to expand globally, the need to transfer personal data outside the EU has become more prevalent. Most companies must process personal data to conduct their operations, so it is crucial that they follow specific guidelines to ensure compliance with General Data Protection Regulation (GDPR) and other EU data protection laws.

The ruling of the Court of Justice of the European Union (CJEU) in the case of Schrems II and guidance by the European Data Protection Board (EDPB) set the course for international data transfers.

Here are the 10 most important steps that businesses need to follow when transferring personal data outside the EU:

1. Identify the legal basis for the transfer

Businesses must first determine the legal basis for the processing itself, as for any processing under Article 6 GDPR: for example the performance of a contract, compliance with a legal obligation, or the overriding legitimate interests of the business. The transfer to a third country is a separate question on top of that: it additionally needs a valid transfer mechanism under Chapter V GDPR (see step 3) or, in exceptional cases, one of the derogations in Article 49 GDPR.

2. Obtain consent

In some cases it may be necessary to obtain the explicit consent of individuals before transferring their personal data outside the EU. Explicit consent is one of the derogations in Article 49 GDPR and is only valid if the individuals have been informed of the possible risks of a transfer that is not covered by an adequacy decision or appropriate safeguards. The EDPB reads the derogations as suitable only for occasional, non-repetitive transfers, so consent is not a substitute for a proper transfer mechanism for regular data flows. It deserves particular care for sensitive data, such as health or financial information.

3. Use approved transfer mechanism

There are several approved mechanisms under Article 46 GDPR that businesses can use to transfer personal data outside the EU, including standard contractual clauses (SCCs), binding corporate rules (BCRs), approved codes of conduct and certification mechanisms.

In addition, there are countries for which the EU Commission has determined by an adequacy decision that the level of data protection is essentially equivalent to that provided by EU law (e.g. Canada or Japan); transfers to these countries do not need a separate transfer mechanism. It is important to choose the appropriate mechanism based on the specific circumstances of the transfer.

4. Assess the risks

Before transferring any personal data outside the EU on the basis of an Article 46 mechanism, businesses must assess the risks associated with the transfer via a Transfer Impact Assessment (TIA), as required by the CJEU in Schrems II and described in the EDPB's recommendations on supplementary measures. A TIA analyses the potential risks associated with the transfer and determines the appropriate measures to mitigate those risks.

That includes evaluating the laws and practices of the destination country, the type of data being transferred and the potential impact on individuals, including any additional safeguards that may be needed.

5. Implement appropriate safeguards

If the TIA finds that the laws or practices of the destination country undermine the protection the transfer mechanism is meant to provide, businesses must implement additional (supplementary) safeguards. These can be contractual (e.g. commitments beyond the standard clauses), technical (e.g. encryption or pseudonymisation with the keys held in the EU) or organisational (e.g. access rights and internal policies). Note that contractual and organisational measures cannot bind the public authorities of the destination country, so where the problem identified is access by those authorities, effective technical measures are usually required; if no such measures are available, the transfer must not take place.

6. Enter into data processing agreements

If the personal data is being transferred to a third party for processing, it is essential to enter into a data processing agreement that clearly outlines the responsibilities and obligations of both parties, as required by Article 28 GDPR. The 2021 SCCs already contain the provisions required for commissioned data processing, so no additional processing agreement is necessary if the SCCs are used as the transfer tool.

7. Use encryption and other security measures

Encrypting personal data and implementing additional security measures protect it while it is in transit and while it is stored by the recipient. Encryption is only an effective transfer safeguard if the keys remain under the control of the exporter (or another entity in the EU) and the algorithm and key length are strong enough to resist the capabilities of the authorities in the destination country; encryption that the importer can undo on request does not change the risk picture. Beyond encryption, businesses should ensure that they have adequate security measures in place (Article 32 GDPR) to prevent unauthorised access to personal data.
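As an added example for steps 5 and 7 (this is not DataGuard's code and not part of the original article), the following Python script shows one of the technical supplementary measures the EDPB recommendations describe: pseudonymising the direct identifiers in a record before it is sent to a non-EU processor, so that the processor only receives a stable per-person token while the HMAC key and the token-to-identity table stay with the exporter in the EU. The sample record, the list of identifier fields and the assumption that the processor only needs a linkable token (not the identity) are constructed for illustration.

```python
"""Pseudonymise direct identifiers before an ex-EU transfer.

Added example, not DataGuard's code. The exporter keeps the HMAC key and the
re-identification table in the EU; the importer only ever sees the tokens.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Fields the exporter treats as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")

# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "anna.mueller@example.com",
    "full_name": "Anna Mueller",
    "phone": "+49 30 123456",
    "country": "DE",
    "plan": "premium",
}


def pseudonymise_record(record: Dict[str, str], key: bytes,
                        fields=DIRECT_IDENTIFIERS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (export_record, re_id_table).

    Each direct identifier is replaced by HMAC-SHA256(key, field || value).
    Keyed hashing (rather than a plain hash) stops the importer from
    recovering values by brute force over known e-mail addresses or names.
    The field name is mixed into the MAC input so the same value in two
    fields does not yield the same token. The re-identification table maps
    token -> original value and must stay with the exporter in the EU.
    """
    export = dict(record)
    re_id: Dict[str, str] = {}
    for field in fields:
        if field not in record:
            continue
        value = record[field]
        msg = f"{field}\x00{value}".encode("utf-8")
        token = hmac.new(key, msg, hashlib.sha256).hexdigest()
        export[field] = token
        re_id[token] = value
    return export, re_id


def reidentify(export_record: Dict[str, str], re_id_table: Dict[str, str],
               fields=DIRECT_IDENTIFIERS) -> Dict[str, str]:
    """Restore the original identifiers; only possible with the EU-held table."""
    restored = dict(export_record)
    for field in fields:
        token = export_record.get(field)
        if token in re_id_table:
            restored[field] = re_id_table[token]
    return restored


def leaks_identifiers(export_record: Dict[str, str], original: Dict[str, str],
                      fields=DIRECT_IDENTIFIERS) -> bool:
    """Transfer-gate check: True if any original identifier value survives in plaintext."""
    exported_text = " ".join(str(v) for v in export_record.values())
    return any(original.get(f) and original[f] in exported_text for f in fields)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored by the exporter only
    exported, table = pseudonymise_record(SAMPLE_RECORD, key)
    if leaks_identifiers(exported, SAMPLE_RECORD):
        raise SystemExit("refusing transfer: plaintext identifiers present")
    print("record for the importer:", exported)
    print("re-identified in the EU:", reidentify(exported, table) == SAMPLE_RECORD)
```

The gate in the `__main__` block is the practical point: the export job refuses to send a record that still contains a plaintext identifier. Whether pseudonymisation is sufficient as a supplementary measure depends on the TIA, in particular on whether the importer could re-identify individuals from the remaining fields; if it needs the identities to provide its service, this measure does not fit and encryption with EU-held keys or another approach has to be considered instead.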

8. Document the data transfer

Businesses must keep records of their personal data transfers outside the EU as part of their records of processing activities (Article 30 GDPR), including the purpose of the transfer, the type of data being transferred, the recipient and destination country, and the mechanism and safeguards used for the transfer.

9. Inform individuals

Individuals have the right to be informed about the transfer of their personal data outside the EU (Articles 13 and 14 GDPR). This includes providing them with information about the destination country, the purpose of the transfer, and the safeguards in place to protect their data. This is usually done via privacy notices on websites or in apps.

10. Conduct regular reviews

It is important to regularly review and monitor the transfer of personal data outside the EU to ensure that it is still compliant with EU data protection laws. This means re-assessing the risks, the appropriateness of the transfer mechanism, and the effectiveness of the safeguards in place.

This also means staying up-to-date on developments in EU data protection laws and guidance from the EDPB, as these may impact the transfer of personal data outside the EU. If reviews reveal gaps, update policies or procedures accordingly.

By following these 10 steps, businesses can ensure that their data transfers outside the EU are conducted in a manner that protects the personal data of their customers as well as employees and complies with EU data protection laws.

How can DataGuard help?

With DataGuard, not only do you have access to our in-house team of privacy and security specialists but also to our web-based platform. There, you can manage your records and privacy notices for international data transfers and your third-party processors.

At the same time, our experts support you in conducting a TIA, finding the proper legal bases for your transfers and consulting you on appropriate safeguards to keep your cross-border data flows privacy compliant.

As we regularly participate in conferences and exchange with authorities, our experts are always up-to-date and flag new developments regarding international data transfers in your regular jour fixe meetings.

Want to learn more about international data transfers? Get in touch with our in-house experts at DataGuard today.

About the author

Dr. Frank Schemmel

Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, has supported DataGuard since 2018 in various management positions (incl. Head of Privacy) and is currently responsible for the company-wide content and strategic design as well as optimisation of the DataGuard service lines "Privacy" and "Compliance", a hybrid model of first-class consulting and support through self-developed, scalable software solutions. As a certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all topics of data protection, IT security and general compliance. Before joining DataGuard, he worked for Allen & Overy LLP for five years in the area of data protection and employment law as a consultant and legal project manager. He regularly publishes in relevant media and shares his experience as a lecturer at universities (Duesseldorf, Augsburg), conference speaker (euroforum Datenschutzkongress, bitkom Privacy Conference, IAPP Data Protection Intensive: Deutschland) and webinar host.

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!